a43e498164dbe5dd8246c249a62a56806b3188dc6c096b31abb31d792ae3b645

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2022, 20:08

Target

a43e498164dbe5dd8246c249a62a56806b3188dc6c096b31abb31d792ae3b645.dll
Size

292KB
MD5

00661f503d6cf032a1c550b6e5e29910
SHA1

41512d93c5350a33a38e0cee870838574de20271
SHA256

a43e498164dbe5dd8246c249a62a56806b3188dc6c096b31abb31d792ae3b645
SHA512

5736b0279a3630ebe07f7edf69493bc0eb73fd8368b5f2d62a6b77debc9ea18899b5521e63cf3c6c3950b0a996337ef30de3614e699cac05849ea53a285edb9b
SSDEEP

3072:52ksZrfDIKKyuMKQoT7HtvFMZaqoauVP8jT7Z/JnDHjOIC5dNJFQot90ApBJdH41:Aks7uNQohFFgoPu/TmJF5t91mMu

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
2708	rundll32mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x000a000000022f3f-134.dat	upx
behavioral2/files/0x000a000000022f3f-135.dat	upx
behavioral2/memory/2708-137-0x0000000000400000-0x0000000000456000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3440	2708	WerFault.exe	83
1176	2204	WerFault.exe	82

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2204	3020	rundll32.exe	82
PID 3020 wrote to memory of 2204	3020	rundll32.exe	82
PID 3020 wrote to memory of 2204	3020	rundll32.exe	82
PID 2204 wrote to memory of 2708	2204	rundll32.exe	83
PID 2204 wrote to memory of 2708	2204	rundll32.exe	83
PID 2204 wrote to memory of 2708	2204	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a43e498164dbe5dd8246c249a62a56806b3188dc6c096b31abb31d792ae3b645.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a43e498164dbe5dd8246c249a62a56806b3188dc6c096b31abb31d792ae3b645.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:2708
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 264
      4⤵
      Program crash
      PID:3440
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 616
    3⤵
    - Program crash
    PID:1176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2708 -ip 2708
1⤵
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2204 -ip 2204
1⤵
PID:5056

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
105KB

MD5
c2c30212b5c6129c82ecae4268a507ac

SHA1
4b2882060efb1742c454e0b647bbbc94d71f7859

SHA256
04d40ff3da891e8c120e622fdff2004c933433ff6b88a77afbda2235b2be83ab

SHA512
0a4eabaf6cf04793beeb5851804a626f431a681fab9b63d5c2409717c21c3148ee74069100018b5878984b18628161b6c79118b1eccf129c65ab1d1984315c19

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
105KB

MD5
c2c30212b5c6129c82ecae4268a507ac

SHA1
4b2882060efb1742c454e0b647bbbc94d71f7859

SHA256
04d40ff3da891e8c120e622fdff2004c933433ff6b88a77afbda2235b2be83ab

SHA512
0a4eabaf6cf04793beeb5851804a626f431a681fab9b63d5c2409717c21c3148ee74069100018b5878984b18628161b6c79118b1eccf129c65ab1d1984315c19

Download Submit
memory/2204-136-0x0000000010000000-0x000000001004B000-memory.dmp

Filesize
300KB

Download
memory/2708-137-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download